When a mobile node, such as a mobile phone, personal digital assistant (PDA), smartphone, wireless computing device, or mobile gateway roams from one place to another, it often switches its point of attachment from one base station (wireless access point) to another. This process of switching from one point of attachment to another is called a “handover.” Handover requires extensive background coordination among various network elements which support communications between the mobile node and the plurality of access points. Such background coordination includes extra signaling messages which involve some delay. A major portion of the time for handover related signaling involves transferring and verifying the mobile node's security related credentials from one base station to another. If the handover occurs between two base stations (points of attachment) that support the same type of network communication protocol, then such handover is called a “horizontal handover”, and the existing methods for such handover are quite efficient.
However, different types of communication protocols are continually emerging and coexist. Non-limiting examples of such communication protocols include Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Enhanced Data rates for GSM Evolution (EDGE), Universal Mobile Telecommunications System (UMTS), Digital Enhanced Cordless Telecommunications (DECT), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Evolution Data Optimized (EVDO), 3G, 4G, Long Term Evolution (LTE), Worldwide Interoperability for Microwave Access (WiMAX), IEEE 802.11x (WiFi), Bluetooth®, etc. In light of the many available communication protocols, mobile nodes frequently come fitted with multiple radio transceivers. A natural requirement arising from such flexible hardware is that mobile nodes should be able to roam among diverse types of access networks as seamlessly as they can now between base stations of the same technology. The corresponding handover between different types of access networks is called "vertical handover".
This notion of “seamless mobility”, or roaming ability, among different types of access networks currently faces a serious challenge due to high delays incurred during vertical handover related signaling. A significant part of this signaling latency occurs during the process of authentication. Authentication refers to the process of verification of the mobile node's identity as it moves from one network to another.
Presently, there are three known ways to carry out authentication during a vertical handover process: 1) full authentication, 2) reauthentication, and 3) preauthentication. Full authentication between a mobile node and a point of attachment is carried out whenever the mobile node first sets up a connection through an access network. Three entities are involved in the authentication process: the mobile node, the point of attachment providing network access, and a back-end authentication server.
Full authentication takes a relatively long time to complete. If it is used during a handover, the latency becomes too high to sustain an ongoing connection and the connection is likely to be dropped, especially when the connection is carrying a voice call, where delays quickly become noticeable and unacceptable.
Alternatively, reauthentication may be carried out when the current and next networks have a prior agreement to share a master key, so that the mobile node only has to prove possession of key material it already holds. Unfortunately, such key-sharing agreements generally do not exist between independently administered networks, so reauthentication is not applicable in general across network administrative boundaries.
Currently, preauthentication is full authentication with a next point of attachment (NPoA) carried out by a mobile node while it is still connected with the current point of attachment (CPoA). In this case, a connection is first established between the CPoA and the NPoA, and the mobile node communicates all authentication related messages to the NPoA, through the CPoA. Unfortunately, since the authentication related messages, as part of current preauthentication processes, pass through an extra hop (between the CPoA and the NPoA in addition to the hop from the mobile node to the CPoA), the overall time taken to complete the process is longer than a direct full authentication. In an effort to mitigate the effect of such delays, some devices attempt to start the preauthentication process far in advance of the actual handover.
For media independent handover, the Extensible Authentication Protocol (EAP) has been adopted as the general authentication protocol, as it offers the generality and the security guarantees required for such inter-network transfers. A number of specific methods are supported by the EAP framework. Out of these, the EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) method offers the strongest authentication, since it performs certificate-based mutual authentication of both the mobile node and the authentication server. Depending on the processing platform and algorithms used, in order to achieve an acceptable latency of 50 ms as per ITU recommendations, an EAP-TLS based preauthentication process must be started up to 31 seconds in advance of an imminent handover. Unfortunately, this is not feasible for most practical scenarios, especially where a mobile node user is moving at high speed and possible next points of attachment may not even be within range until shortly before the handover is needed. Furthermore, the amount of processing necessary at the mobile node for preauthentication (chiefly the certificate operations of the TLS handshake) can lead to dropping of packets even while it is still connected to the current base station.
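The latency accounting behind the three strategies above (full authentication during the handover, reauthentication against a shared master key, and preauthentication relayed through the CPoA) can be made concrete with a small model. The following is an added example written for this page, not code from the application or from any standard: it routes each message of a simplified EAP-TLS exchange over the three-party topology (mobile node, current and next point of attachment, back-end AAA server), sums per-hop delays and assumed processing costs, and reports how much signaling falls inside the handover itself versus how far in advance preauthentication has to start. Every link delay, the message sequence, the CPU costs and the two-message reauthentication and key-confirmation exchange are constructed assumptions chosen to illustrate the argument, not measurements.

```python
"""Latency model for full authentication, reauthentication and
preauthentication during a vertical handover.  Added example; all
delays, message counts and CPU costs below are constructed assumptions."""
from dataclasses import dataclass

MN, CPOA, NPOA, AAA = "MN", "CPoA", "NPoA", "AAA"

# Assumed one-way link delays in milliseconds (constructed values).
LINK_DELAY_MS = {
    frozenset({MN, CPOA}): 10.0,    # radio hop to the current point of attachment
    frozenset({MN, NPOA}): 10.0,    # radio hop to the next point of attachment
    frozenset({CPOA, NPOA}): 20.0,  # backhaul between the two points of attachment
    frozenset({NPOA, AAA}): 30.0,   # next point of attachment to its AAA server
}


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    name: str
    receiver_cpu_ms: float = 0.0  # assumed work at the receiver before it can act


def path(src, dst, via_cpoa):
    """Hops a message traverses.  EAP is relayed by the authenticator (NPoA);
    during preauthentication the MN reaches the NPoA only through the CPoA,
    which adds one extra hop in each direction."""
    mn_to_npoa = [MN, CPOA, NPOA] if via_cpoa else [MN, NPOA]
    routes = {
        (MN, NPOA): mn_to_npoa,
        (NPOA, MN): mn_to_npoa[::-1],
        (MN, AAA): mn_to_npoa + [AAA],
        (AAA, MN): [AAA] + mn_to_npoa[::-1],
    }
    return routes[(src, dst)]


def message_latency_ms(msg, via_cpoa):
    hops = path(msg.src, msg.dst, via_cpoa)
    transit = sum(LINK_DELAY_MS[frozenset({a, b})] for a, b in zip(hops, hops[1:]))
    return transit + msg.receiver_cpu_ms


def exchange_latency_ms(messages, via_cpoa):
    """Messages are strictly sequential, so the exchange takes their sum."""
    return sum(message_latency_ms(m, via_cpoa) for m in messages)


def eap_tls_messages(mn_sign_ms=40.0, mn_verify_ms=10.0, server_crypto_ms=5.0):
    """Simplified EAP-TLS flow between MN and AAA relayed by the NPoA (RFC 5216
    shape, but the grouping and the CPU figures are assumptions).  The MN's
    certificate verification and CertificateVerify signature are charged when
    it receives the server's certificate, since it must do both before replying."""
    return [
        Message(NPOA, MN, "EAP-Request/Identity"),
        Message(MN, AAA, "EAP-Response/Identity"),
        Message(AAA, MN, "EAP-Request/TLS Start"),
        Message(MN, AAA, "TLS ClientHello", server_crypto_ms),
        Message(AAA, MN, "TLS ServerHello+Certificate+CertificateRequest",
                mn_verify_ms + mn_sign_ms),
        Message(MN, AAA, "TLS Certificate+ClientKeyExchange+CertificateVerify+Finished",
                server_crypto_ms),
        Message(AAA, MN, "TLS ChangeCipherSpec+Finished"),
        Message(MN, AAA, "EAP-Response (empty)"),
        Message(AAA, MN, "EAP-Success"),
    ]


def key_confirmation_messages(mac_ms=1.0):
    """One round trip between MN and NPoA proving possession of an already
    shared key (used for reauthentication, and as the residual handover-time
    step after preauthentication).  Assumed shape, not a specific protocol."""
    return [
        Message(MN, NPOA, "Key-Confirm-Request{MAC}", mac_ms),
        Message(NPOA, MN, "Key-Confirm-Response{MAC}", mac_ms),
    ]


def full_auth_latency_ms(**crypto):
    """Full EAP-TLS run directly with the NPoA after the handover."""
    return exchange_latency_ms(eap_tls_messages(**crypto), via_cpoa=False)


def preauth_lead_time_ms(**crypto):
    """How far before the handover preauthentication must start: the whole
    EAP-TLS run, relayed through the CPoA, has to finish first."""
    return exchange_latency_ms(eap_tls_messages(**crypto), via_cpoa=True)


def preauth_hop_penalty_ms(**crypto):
    """Extra cost of the CPoA-NPoA hop on every relayed message."""
    return preauth_lead_time_ms(**crypto) - full_auth_latency_ms(**crypto)


def handover_latency_ms(strategy, **crypto):
    """Authentication signaling that lands inside the handover itself."""
    if strategy == "full":
        return full_auth_latency_ms(**crypto)
    if strategy in ("reauth", "preauth"):
        return exchange_latency_ms(key_confirmation_messages(), via_cpoa=False)
    raise ValueError(strategy)


def meets_budget(strategy, budget_ms=50.0, **crypto):
    return handover_latency_ms(strategy, **crypto) <= budget_ms


if __name__ == "__main__":
    for s in ("full", "reauth", "preauth"):
        print(f"{s:8s} handover-time signaling: {handover_latency_ms(s):7.1f} ms "
              f"within 50 ms budget: {meets_budget(s)}")
    print(f"preauth must start {preauth_lead_time_ms():.1f} ms ahead "
          f"(+{preauth_hop_penalty_ms():.1f} ms over a direct full run)")
```

Two things the model makes visible: the relayed exchange is longer than a direct full authentication by exactly the backhaul delay times the number of messages (the extra hop of L7), and the lead time grows linearly with the mobile node's certificate-operation cost, which is why a slow platform pushes the required head start from hundreds of milliseconds toward the many seconds quoted above (try `preauth_lead_time_ms(mn_sign_ms=2000.0)`).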